Unseen Vulnerabilities: The Escalating Insider and Supply Chain Threats to Security of Critical Infrastructure


Your supply chain is only as strong as its weakest link… In recent years, supply chain security incidents have exposed vulnerabilities in critical infrastructure both in Australia and overseas, underscoring the urgent need for a robust supply chain risk management framework.

The UK National Protective Security Authority warning

In October 2024, the UK National Protective Security Authority issued guidance warning about the increasing threat of sabotage allegedly orchestrated on behalf of the Russian state. The advisory highlighted that sabotage activities targeting critical assets and supply chains have become a significant concern across the UK and Europe. Sectors involved in operations that counter the interests of foreign powers, particularly Russia, face heightened risks, as these activities aim to undermine national security and disrupt the operation of critical infrastructure.

Latest real-life cases

In August 2024, Qantas, Australia’s flagship airline, faced a significant insider threat incident involving its supply chain. The breach involved contractors working at a third-party service provider in India who had access to Qantas customer data, including sensitive personal information such as passport numbers. These contractors exploited their access to steal customer data, leading to a widespread scandal.

Additionally, a separate cyberattack targeted the Qantas Frequent Flyer program, where hundreds of customers’ accounts were compromised. This attack allowed malicious actors to steal points and personal information. The breach was compounded by poor security practices and inadequate oversight of third-party vendors responsible for managing parts of the Frequent Flyer program. Both incidents highlighted the vulnerabilities posed by third-party suppliers and the risks of insider threats resulting from inadequate supply chain oversight.

In October 2024, another high-profile case involved Yaqi X, an employee of a logistics company at Leipzig/Halle airport—a key hub for the German defence industry—who allegedly exploited her legitimate access to sensitive information. She is accused of passing details on flights, passengers, and military cargo to Chinese intelligence, underscoring the insider threat element within the supply chain and personnel security hazards.

The MOVEit supply chain attack in 2023 further exemplifies how vulnerabilities in supply chain management can lead to significant financial and operational damage. The attack affected over 1,150 organisations and compromised sensitive data from companies like the BBC and British Airways, with a global financial impact estimated at between $6.5 billion and $11 billion. This breach exploited vulnerabilities in the MOVEit Transfer tool, causing reputational damage and major operational disruption for the affected organisations.

Supply chain security and the SOCI legislative framework

The Australian Government’s Security of Critical Infrastructure Act 2018 (SOCI Act) was introduced to address the complex and evolving risks facing critical infrastructure. The SOCI Act provides a risk-based, principles-driven framework to help organisations manage their unique security challenges through a holistic approach to risk identification and mitigation.

The SOCI Act covers 11 critical infrastructure sectors and 23 critical infrastructure sector classes, such as energy, water, telecommunications, and transport, all of which are interdependent. A disruption in one sector can create ripple effects across others. Entities responsible for these assets must comply with stringent legal obligations, including adopting and maintaining a Critical Infrastructure Risk Management Program (CIRMP). The CIRMP ensures that organisations can withstand, respond to, and recover from threats while maintaining essential services.

Under the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023 (CIRMP Rules), organisations are required to manage supply chain hazards as part of their overall risk management. These hazards include internal and external threats, such as malicious actors exploiting supply chain vulnerabilities, misuse of access by third-party vendors, and over-reliance on key suppliers. Section 10 of the CIRMP Rules specifies that responsible entities must implement systems to manage these hazards effectively.

The CIRMP Rules also define a major supplier as any vendor whose products or services play a significant role in the security of critical infrastructure. Entities must not only track these suppliers but also develop strategies to mitigate any potential supply chain hazards, thereby minimising the likelihood and impact of disruptions.

Pentagram Advisory’s Supply Chain Security Risk Management Framework

At Pentagram Advisory, we have developed a comprehensive Supply Chain Security Risk Management Framework to help critical infrastructure organisations build resilience, mitigate risks, and address insider threats. Our approach focuses on three pillars:

  1. Supply Chain Resilience: We focus on building resilience by identifying critical dependencies within the supply chain and developing contingency plans. This includes:
    • Mapping supply chain dependencies to identify weak points.
    • Implementing flexible operational practices to reduce the impact of potential disruptions.
    • Regularly testing the resilience of supply chain operations to ensure readiness for various hazard scenarios.

  2. Supply Chain Security: Protecting critical infrastructure from supply chain threats requires a proactive approach to risk management:
    • Conducting thorough risk assessments for all major suppliers.
    • Implementing security controls to protect against both physical and cyber threats within the supply chain.
    • Integrating OSINT (Open-Source Intelligence) to gain deeper insights into supplier risks and potential vulnerabilities.

  3. Insider Threat Mitigation: We place particular emphasis on mitigating insider threats, as insiders often pose significant risks to the security of critical infrastructure:
    • Establishing rigorous workforce screening and monitoring processes for employees and suppliers.
    • Implementing regular insider threat training to ensure all personnel understand the risks and how to mitigate them.
    • Using technology solutions such as OSINT to detect early warning signs of potential insider threats.

By integrating supply chain security into overall enterprise risk management, organisations can protect their critical infrastructure assets from a wide range of threats while ensuring compliance with the SOCI Act and CIRMP Rules.

Interested in learning more? In our recently released online course on How To Establish a Supply Chain Risk Management Framework available through our eLearning Hub, we offer practical insights into how to implement these strategies effectively. The course is designed to equip leaders and practitioners with the knowledge and skills needed to strengthen their supply chains against emerging threats, ensuring compliance with the SOCI Act and the CIRMP Rules.
